Today

• Most Chinese banks use ActiveX controls and are thus inoperable in Firefox.
• Mozilla China has been working with CCB (ccb.com.cn) to enable its website to work with Firefox 3.6 and 4.0, using add-ons.
• Many banks are using USB identity tokens and/or smartcards.
• A very large majority of users are using Windows XP, which does not have built-in drivers for identity tokens, unlike Windows 7. (TODO: How many banks' identity tokens are plug-n-play in Windows 7.) These drivers use the Windows CryptoAPI CSP interface to expose the certificates on the identity token to applications that use CryptoAPI. However, Mozilla products currently do not use CryptoAPI; we have our own solution based on PKCS#11.
• Some banks are using security tokens from multiple manufacturers, which may require different drivers and/or CSP/PKCS#11 DLLs.

CCB Bank

Description of Mozilla China's CCB solution

• Multiple plugins are installed:
  • From Li: "They use a separate ActiveX control for any operation that they think should be protected – login, inputing a $$ amount for transaction, etc. So they would use a good number of these controls in a typical online banking session."
  • One or more are used to communicate with the smart card.
• An extension specific to ccb.com.cn is used to improve the PSM client certificate selection UI, to show more information about each certificate (e.g. validity period) in the list, and to expand the identity token's list of certificates in the tree.
• CCB's helper package installs a CCB-bank-specific root certificate; the exact technical reason for this isn't clear yet. This has possible negative security implications for non-CCB websites.
• One or more PKCS#11 modules are installed, to enable access to the hardware identity token from within Gecko.

Possible immediate improvements

Note: This is just a list of *possible* improvements, because we do not know enough about the current solution yet. Some or all of these improvements might be unrealistic.

• Stop installing the CCB-bank-specific root and disable it on users' computers.

 There are two kinds of server certificates, one's CA is VeriSign,the other's CA
 is CCB. You can get it by visiting the two links below:
 https://ibsbjstar.ccb.com.cn/app/V5/CN/STY1/login.jsp
 https://ca3.ccb.com.cn/ 
 Why CCB uses two different kinds of server certificates, it's not clear yet.
 So, when accessing links like https://ca3.ccb.com.cn, Fx will throw an exception,
 so does IE. CCB's helper package adds "CCB CA ROOT" certificate into Fx and 
 IE's  certificates trusting list to avoid it. 

• Remove the need for CCB's extension that improves the PSM client certificate selection UI, by making those UI improvements inside the base UI.

 It would be great.

• Drivers for identity tokens used by Chinese banks can be bundled with the browser and/or downloaded automatically on demand.

 The helper serves not only for Fx but also other browsers including IE.
 I don't think it's practical to include all kinds of drivers in to our browser.

• Try to reduce or eliminate the use of plugins for UI, as much as possible. Providing an open-source HTML/CSS/JS reference implementation of these UI improvements (with a liberal license) might accelerate this.

 I totally agree, but it depends on the bank sides.

• For UI plugins that cannot be replaced, develop open-source versions that we can ship in an extension bundled with Firefox China Edition.

 I don't think CCB would agree with it. CCB regards all the codes as commercial  
 confidential.

Open Questions / Action Items

1. Improve communication between Mozilla China and Platform/PSM. bsmith is willing (eager, even) to go to Beijing if that would be helpful.
2. Coordinate a video/screen-sharing meeting between Mozilla China and Platform/PSM (bsmith and kaie), so that Platform/PSM can better understand the problem.
3. Have Platform/PSM help Mozilla China with any improvements that Mozilla China wants to make to Gecko to support their needs.
4. What is the exacty purpose of CCB's root certificate? After installing the helper package, if we remove the root certificate from the certificate database using the Certificate Manager UI, then what specific parts of the website break?
5. What protocols and/or APIs are being used for the security of the bank? Are they using standard SSL client authentication? Are they using a solution with an API similar to the one used in Korea?
   1. They are using standard SSL client authentication
6. Wei mentioned that CCB uses three vendors for identity tokens. Who are these three vendors?
   1. [watchdata]: [contact information] [1]
   2. [bdtech]: [contact information] [2]
   3. [HuaDaZhiBao]: [contact information] [3]
7. Get somebody in Mountain View (e.g. bsmith) access to a CCB bank account and hardware identity token, so that Platform/PSM can better support Mozilla China's efforts.
8. There are several plugins in the CCB helper package. What are these plugins and what do they do?:
   1. [npCCBEnckey.dll] [password input control instead of W3C password input]
   2. [npCCBInfoScan.dll] [check users' laptop enviroment, OS version, Firefox version, IE version and so on]
   3. [npCCBNetSignCom.dll] [signing transaction data]
   4. [npdmwritecert.dll] [update certificate into bdtech's smart card, provided by bdtech.]
   5. [npdmccbplugin.dll] [read infomation from bdtech's smart card, provided by bdtech.]
   6. [npHDZBCertCtrl.dll] [update certificate into HuaDaZhiBao's smart card, provided by HuaDaZhiBao.]
   7. [npHDZBSNCtrl.dll] [read infomation from HuaDaZhiBao's smart card, provided by HuaDaZhiBao.]
   8. [npWDImportCertCtrl.dll] [update certificate into watchdata's smart card, provided by watchdata.]
   9. [npwdkctrl.dll] [read infomation from watchdata's smart card, provided by watchdata.]

Generalized Solution for Other Banks

Open Questions

• How similar are other Chinese banks' websites to CCB's?
• What other banks are willing/eager to work with us to get Firefox working with their site?
• If the other banks' websites work similarly, and if we can minimize the number of closed-source plugins that are needed for the CCB solution, then we can probably greatly accelerate the enabling of Firefox compatibility on other banks' websites.

Other Payment Systems

• Taobao/Alipay: In its original form, it is not compatible with Firefox either, but Mozilla China collaborated on an addon for Firefox. People have to install that addon manually.